Out-Law News

UK pension schemes urged to improve cyber security measures


The UK’s Pension Regulator (TPR) is calling on trustees to report significant cyber incidents, with a pension expert urging firms to take protection measures now.

New guidance from TPR is aimed at helping trustees and scheme managers meet their duties to assess the risk of cyber-attacks. Pension schemes are often targeted because of the substantial amounts of personal data and assets they hold.

Pensions expert Charlotte Moss of Pinsent Masons said that pension schemes should be ready to respond to breaches and make sure their cyber security is adequate.

The guidance highlights that trustees and scheme managers are responsible for scheme information and assessments even though, in practice, others may handle data and technology. This means that trustees and scheme managers should understand the scheme’s cyber risk; ensure that those handling data or managing technology have controls in place to reduce this risk and ensure that any incidents that do arise are managed properly.

Moss said: “Schemes need to take steps to understand their scheme’s risk and keep their controls and incident response plans under regular reviews – working with employers, advisors, and third-party suppliers.”

To accurately assess risks, trustees must understand the scheme’s cyber footprint and the digital presence of all parties, such as any participating employers, other advisors, or members.

There must also be an understanding of the critical scheme functions and of the systems needed to deliver them. It must be clear who holds or has access to data, and where and how that data is stored, so that it can be protected against cyber-attacks. Knowledge of the types and likely severity of attacks is vital to ensure that appropriate risk and crisis management measures are in place.

This means that many firms may need to rethink protection plans, analyse current measures and ensure reporting measures are in place to notify TPR when needed. Assessments should be carried out regularly, annually at least, as cyber risk is a complex and ever-changing issue that requires a dynamic response.

Further, schemes are required to make sure they have access to the relevant skills and expertise to help manage cyber risk. Specialist advice should be sought and applied if these skills are not available in-house, and the resulting insights should be shared with trusted stakeholders and peers to provide valuable sources of intelligence and allow for scheme-wide protection.

Ensuring controls are in place can help reduce the likelihood of cyber incidents, allow for these attacks to be identified if they do occur and help schemes respond effectively during cyber security breaches. This can be done by checking what is and is not covered by any audits, tests, accreditation or insurance. It may also be advisable to carry out an independent assessment of risk management, completed by a cyber specialist.

Receiving regular reports from relevant parties explaining threats can also allow for greater protection. 

Preventative measures should also be taken over and above regular assessments – for example, staff training relevant to different roles that includes cyber risk awareness and how to report incidents. Staff should also be made aware of any specific policies in place, such as in cases of home and mobile working.

The guidance states that records should be kept of how these risks have been assessed and of the steps taken to ensure the right controls are in place. Keeping records allows trustees and scheme managers to demonstrate compliance with their obligations under the new guidance.

Cyber, privacy and technology specialist Ellie Ludlam of Pinsent Masons said: “Since TPR’s initial cyber security principles were published, high-profile breaches have hit the headlines. The regulator now acknowledges cyber risk requires a dynamic response, and a holistic approach to protecting scheme data.” 
